CAParty Madrid October 2011

CAParty Madrid 2011 - Slides

  1. The PKI CACert: A Community-driven Certification Authority. Juanjo Amor / Antonio Peña (jjamor@gmail.com, apenav@gmail.com), 14 October 2011. Juanjo Amor / Antonio Peña, CACert
  2. (cc) 2011 Juanjo Amor, Antonio Peña and Wikipedia. Some rights reserved. This work is licensed under the Creative Commons Attribution-ShareAlike License. To view a copy of the full license, see http://creativecommons.org/licenses/by-sa/3.0/ or write to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
  3. PKI concepts. PKI meaning: PKI = Public Key Infrastructure, a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. PKI components:
     • CA = Certification Authority
     • RA = Registration Authority
     • VA = Validation Authority
     • Public keys (person, server and authority certificates)
     • Policies and procedures
  4. PKI: diagram of a public key infrastructure (figure, not reproduced in the transcript)
  5. PKI example 1: Standard CA. Standard CAs such as Thawte, Verisign...
     • CA: combines the CA, RA and VA roles.
     • Our browser trusts certificates signed by that CA.
     • The certificate chain tells the browser about the VA.
  6. PKI example 2: The DGP CA. Spanish DGP (Police) CA:
     • CA: at DGP headquarters
     • RA: at DGP DNIe offices
     • VA: delegated to third parties (FNMT, for example)
     This is the CA for the Spanish electronic ID (DNIe). It is also acknowledged for legally identifying people.
  7. Web of Trust. Concept created by the creator of PGP. Instead of having a "central" CA, we can build a trust network of signed public keys. If A signs B, and C trusts A, then C could trust B. CACert uses a variant of this trust network...
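The rule on the web-of-trust slide ("if A signs B, and C trusts A, then C could trust B") can be made concrete with a small model. The following is an added example, not code from the slides or from CACert; it uses names in place of keys, an in-memory signature table with constructed data, and PGP-style semantics where a verifier's directly trusted introducers vouch for other keys, with an optional "two independent introducers" requirement for marginal trust. The class and function names are the example's own.

```python
# Added example (not from the slides): a minimal web-of-trust model for the rule
# "if A signs B, and C trusts A, then C could trust B".
# Names stand in for keys; signatures live in an in-memory dict (constructed data).
from typing import Dict, Iterable, Set


class WebOfTrust:
    """Records who has signed whose key and derives which keys a verifier may rely on."""

    def __init__(self) -> None:
        # signer -> set of keys that signer has vouched for
        self.signatures: Dict[str, Set[str]] = {}

    def sign(self, signer: str, subject: str) -> None:
        """Record that `signer` vouches for the owner/key binding of `subject`."""
        if signer == subject:
            raise ValueError("a self-signature does not extend anyone else's trust")
        self.signatures.setdefault(signer, set()).add(subject)

    def valid_keys(self, trusted_introducers: Iterable[str],
                   required_signatures: int = 1) -> Set[str]:
        """Keys the verifier may rely on.

        The introducers are keys the verifier has checked in person (trusted
        directly); any other key counts as valid once at least
        `required_signatures` distinct introducers have signed it.
        Validity is not transitive: a key that is merely valid is not an
        introducer, so signatures it made do not propagate further.
        """
        introducers = set(trusted_introducers)
        votes: Dict[str, int] = {}
        for signer in introducers:
            for subject in self.signatures.get(signer, ()):
                votes[subject] = votes.get(subject, 0) + 1
        valid = set(introducers)
        valid.update(k for k, n in votes.items() if n >= required_signatures)
        return valid


def build_example() -> WebOfTrust:
    """Constructed scenario: A and D both sign B; D signs E; E signs F."""
    wot = WebOfTrust()
    wot.sign("A", "B")
    wot.sign("D", "B")
    wot.sign("D", "E")
    wot.sign("E", "F")
    return wot


if __name__ == "__main__":
    wot = build_example()
    # C trusts only A: B becomes valid through A's signature, E and F do not.
    print(sorted(wot.valid_keys({"A"})))                               # ['A', 'B']
    # Trusting D as well makes E valid, but F is still one hop too far.
    print(sorted(wot.valid_keys({"A", "D"})))                          # ['A', 'B', 'D', 'E']
    # Marginal trust: demand two independent introducers per key.
    print(sorted(wot.valid_keys({"A", "D"}, required_signatures=2)))   # ['A', 'B', 'D']
```

The point worth noticing is the non-transitivity: F is signed by E, and E is valid for a verifier who trusts D, but F only becomes valid for a verifier who has explicitly chosen E as an introducer. That is the decision a central CA makes once for everyone and a web of trust pushes onto each verifier.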
  8. CACert PKI. What is CACert? A community-driven certificate authority. CACert issues public key certificates to the public (servers, people) free of charge.
     • Robot CA: certificates are signed automatically. These certificates are considered weak because CAcert does not include any information in the certificates other than the domain name or email address (the CommonName field in X.509 certificates).
     • Web of trust: meetings, assurance points, prospective assurers and assurees. Assured users can get, for example, email certificates with a complete CommonName field.
  9. CACert inclusion status. Can we use CACert server certificates with some browser?
     • Yes, we can import the CA certificate and go...
     • Yes, my Linux distro (Debian, etc.) includes the CA certificate in the ca-certificates package.
     • No, my browser does not recognize the certificates and I cannot trust a strange CA.crt file! (Like a self-signed certificate.)
     Although Mozilla started a process to include the certificate, an audit suspended the process, because CACert needed to improve their management system.
  10. CACert web of trust. When you create a new CACert account, only your email can be verified. By meeting other CACert assurers you can get some points: for including your real name in your account, to generate better certificates, and finally, to be also a CACert assurer.
  11. CACert web of trust. Some rules:
      • An assurer can issue you up to 35 points.
      • You need at least 50 points to have your full name assured... so you need to be assured by at least two existing assurers.
      • With 100 points you can also be an assurer... but you also need to pass an "assurer challenge".
      More rules, when you are promoted to assurer:
      • Initially, you can issue 10 points to other people, and you get 2 experience points when you assure somebody.
      • After you have 10 experience points, you can issue 15 points to others...
      • When you have 50 experience points, you can issue to others the maximum per session: 35 points.
      • In any case, you can, if you want, issue fewer points than your maximum.
  12. CACert client certificates. A client certificate is used to identify yourself to a web site, for email signing, ... When you create a CACert account, you can get client certificates:
      • Only the email is certified (by using email ping)
      • With 6 month expiration
      When you are assured (50 points) you also get:
      • Name and email certified
      • 24 month expiration
  13. CACert server certificates. A server certificate is used to secure a website: it identifies a server to you. When you create a CACert account, you can get server certificates with 6 month expiration; when you are assured (50 points) you also get 24 month expiration. In all cases, you need to be able to "ping" the DNS name by receiving a postmaster email as the DNS owner, and only the website DNS name is assured, because CACert assurers are not able to verify the legal owner.
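The assurance rules on slides 10 to 13 (points per assurer, the 50 and 100 point thresholds, the experience tiers, and how assurance changes what a client or server certificate may carry) fit together as one small rule engine. The following is an added example written for this page, not CACert's own code or policy engine. It models only the thresholds the slides state (the 15-point tier is assumed to hold until 50 experience points, since the slides elide the intermediate tiers), the certificate subject layout (name in the CommonName once assured, email otherwise) is an assumption, and the members and walk-through are constructed.

```python
# Added example (not CACert's own code): a model of the assurance rules on the
# slides, used to show how points drive what a certificate may contain.
# Only the thresholds stated on the slides are modelled; the 15-point tier is
# assumed to apply until 50 experience points (intermediate tiers are elided
# on the slides). The certificate subject layout is an assumption.
from dataclasses import dataclass

ASSURED_THRESHOLD = 50        # full name assured
ASSURER_THRESHOLD = 100       # may become an assurer (after passing the challenge)
EXPERIENCE_PER_ASSURANCE = 2  # experience points earned per assurance given


@dataclass
class Member:
    name: str
    email: str
    assurance_points: int = 0
    experience_points: int = 0
    passed_assurer_challenge: bool = False

    @property
    def is_assured(self) -> bool:
        return self.assurance_points >= ASSURED_THRESHOLD

    @property
    def is_assurer(self) -> bool:
        return self.assurance_points >= ASSURER_THRESHOLD and self.passed_assurer_challenge

    def max_issuable_points(self) -> int:
        """Points this member may issue per assurance, by experience."""
        if not self.is_assurer:
            return 0
        if self.experience_points >= 50:
            return 35
        if self.experience_points >= 10:
            return 15
        return 10


def assure(assurer: Member, assuree: Member, points: int) -> None:
    """Record one face-to-face assurance; the assurer may issue fewer than the max."""
    if assurer is assuree:
        raise ValueError("a member cannot assure themself")
    if not assurer.is_assurer:
        raise PermissionError(f"{assurer.name} is not an assurer")
    if not 0 <= points <= assurer.max_issuable_points():
        raise ValueError(f"{assurer.name} may issue at most "
                         f"{assurer.max_issuable_points()} points")
    assuree.assurance_points += points
    assurer.experience_points += EXPERIENCE_PER_ASSURANCE


def client_certificate_profile(member: Member) -> dict:
    """What a client certificate for this member would carry (subject layout assumed)."""
    if member.is_assured:
        return {"commonName": member.name, "email": member.email, "validity_months": 24}
    return {"commonName": member.email, "email": member.email, "validity_months": 6}


def server_certificate_profile(member: Member, dns_name: str) -> dict:
    """Server certs only ever assert the DNS name; assurance extends the lifetime."""
    return {"commonName": dns_name, "validity_months": 24 if member.is_assured else 6}


def new_member_journey() -> Member:
    """Constructed walk-through: a newcomer is assured by three experienced assurers."""
    alice = Member("Alice Example", "alice@example.org")
    veterans = [Member(f"Veteran {i}", f"vet{i}@example.org", 150, 60, True)
                for i in range(3)]
    assure(veterans[0], alice, 35)   # 35 points: email only, 6-month certs
    assure(veterans[1], alice, 35)   # 70 points: name assured, 24-month certs
    assure(veterans[2], alice, 35)   # 105 points: eligible for the assurer challenge
    alice.passed_assurer_challenge = True
    return alice


if __name__ == "__main__":
    alice = new_member_journey()
    print(client_certificate_profile(alice))   # name in CommonName, 24 months
    print(alice.max_issuable_points())         # 10: a freshly promoted assurer
```

Two things the model makes visible that the bullet lists do not: a single assurer, even one at the 35-point maximum, can never get a newcomer over the 50-point line on their own, so an assured name always rests on at least two independent identity checks; and a freshly promoted assurer starts at 10 points per assurance, so it takes several assurances before that person's vouching carries much weight in anyone else's total.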
  14. Let's start!!